From owner-svn-src-head@freebsd.org Wed Jul 29 17:05:32 2020
Message-Id: <202007291705.06TH5Wlb054752@repo.freebsd.org>
From: Mateusz Guzik
Date: Wed, 29 Jul 2020 17:05:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r363668 - in head/sys: kern security/mac
X-SVN-Group: head
X-SVN-Commit-Author: mjg
X-SVN-Commit-Paths: in head/sys: kern security/mac
X-SVN-Commit-Revision: 363668
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
X-List-Received-Date: Wed, 29 Jul 2020 17:05:33 -0000

Author: mjg
Date: Wed Jul 29 17:05:31 2020
New Revision: 363668
URL: https://svnweb.freebsd.org/changeset/base/363668

Log:
  vfs: elide MAC-induced locking on rename if there are no relevant hooks

Modified:
  head/sys/kern/vfs_syscalls.c
  head/sys/security/mac/mac_framework.c
  head/sys/security/mac/mac_framework.h

Modified: head/sys/kern/vfs_syscalls.c
==============================================================================
--- head/sys/kern/vfs_syscalls.c	Wed Jul 29 17:04:33 2020	(r363667)
+++ head/sys/kern/vfs_syscalls.c	Wed Jul 29 17:05:31 2020	(r363668)
@@ -3541,6 +3541,33 @@ sys_renameat(struct thread *td, struct renameat_args * UIO_USERSPACE)); } +#ifdef MAC +static int +kern_renameat_mac(struct thread *td, int oldfd, const char *old, int newfd, + const char *new, enum uio_seg pathseg, struct nameidata *fromnd) +{ + int error; + + NDINIT_ATRIGHTS(fromnd, DELETE, LOCKPARENT | LOCKLEAF | SAVESTART | + AUDITVNODE1, pathseg, old, oldfd, &cap_renameat_source_rights, td); + if ((error = namei(fromnd)) != 0) + return (error); + error = mac_vnode_check_rename_from(td->td_ucred, fromnd->ni_dvp, + fromnd->ni_vp, &fromnd->ni_cnd); + VOP_UNLOCK(fromnd->ni_dvp); + if (fromnd->ni_dvp != fromnd->ni_vp) + VOP_UNLOCK(fromnd->ni_vp); + if (error != 0) { + NDFREE(fromnd, NDF_ONLY_PNBUF); + vrele(fromnd->ni_dvp); + vrele(fromnd->ni_vp); + if (fromnd->ni_startdir) + vrele(fromnd->ni_startdir); + } + return (error); +} +#endif + int kern_renameat(struct thread *td, int oldfd, const char *old, int newfd, const char *new, enum uio_seg pathseg) 
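Review bot: in the new kern_renameat_mac() the newfd and new parameters are accepted but never used; only oldfd, old, pathseg and fromnd feed NDINIT_ATRIGHTS() and mac_vnode_check_rename_from(). Either drop them from the signature and the call site (`error = kern_renameat_mac(td, oldfd, old, pathseg, &fromnd);`) or mark them __unused so a -Wunused-parameter build stays quiet. The error path itself matches the code it replaces: both vnodes are unlocked before the vrele() calls, NDF_ONLY_PNBUF frees the path buffer, and ni_startdir is released only when set, which is what a SAVESTART lookup needs.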
@@ -3553,30 +3580,19 @@ kern_renameat(struct thread *td, int oldfd, const char again: bwillwrite(); #ifdef MAC - NDINIT_ATRIGHTS(&fromnd, DELETE, LOCKPARENT | LOCKLEAF | SAVESTART | - AUDITVNODE1, pathseg, old, oldfd, - &cap_renameat_source_rights, td); - if ((error = namei(&fromnd)) != 0) - return (error); - error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp, - fromnd.ni_vp, &fromnd.ni_cnd); - VOP_UNLOCK(fromnd.ni_dvp); - if (fromnd.ni_dvp != fromnd.ni_vp) - VOP_UNLOCK(fromnd.ni_vp); - if (error != 0) { - NDFREE(&fromnd, NDF_ONLY_PNBUF); - vrele(fromnd.ni_dvp); - vrele(fromnd.ni_vp); - if (fromnd.ni_startdir) - vrele(fromnd.ni_startdir); - return (error); - } -#else + if (mac_vnode_check_rename_from_enabled()) { + error = kern_renameat_mac(td, oldfd, old, newfd, new, pathseg, + &fromnd); + if (error != 0) + return (error); + } else { +#endif NDINIT_ATRIGHTS(&fromnd, DELETE, WANTPARENT | SAVESTART | AUDITVNODE1, - pathseg, old, oldfd, - &cap_renameat_source_rights, td); + pathseg, old, oldfd, &cap_renameat_source_rights, td); if ((error = namei(&fromnd)) != 0) return (error); +#ifdef MAC + } #endif fvp = fromnd.ni_vp; NDINIT_ATRIGHTS(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE | Modified: head/sys/security/mac/mac_framework.c ============================================================================== --- head/sys/security/mac/mac_framework.c Wed Jul 29 17:04:33 2020 (r363667) +++ head/sys/security/mac/mac_framework.c Wed Jul 29 17:05:31 2020 (r363668) @@ -139,6 +139,7 @@ FPFLAG(vnode_check_read); FPFLAG(vnode_check_write); FPFLAG(vnode_check_mmap); FPFLAG_RARE(vnode_check_poll); +FPFLAG_RARE(vnode_check_rename_from); #undef FPFLAG #undef FPFLAG_RARE 
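Review bot: the brace nesting in kern_renameat() now spans two separate #ifdef MAC blocks: `} else {` is opened under the first #ifdef MAC and its closing `}` sits under a second one, so the non-MAC configuration compiles only the body between them and any future edit to the lookup in that region can silently break one of the two builds. Consider having mac_framework.h make mac_vnode_check_rename_from_enabled() evaluate to false when MAC is not compiled in, so this becomes a plain if/else with no preprocessor conditionals wrapped around the braces. A short comment at the `again:` loop would also help: the fast-path flag is read once per iteration, before namei(), so a policy that starts providing vnode_check_rename_from while a rename is already past that test is not consulted for that call; the same holds for the existing FPFLAG fast paths, but it is worth stating where the check is skipped.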
@@ -427,6 +428,8 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_ar .flag = &mac_vnode_check_mmap_fp_flag }, { .offset = FPO(vnode_check_poll), .flag = &mac_vnode_check_poll_fp_flag }, + { .offset = FPO(vnode_check_rename_from), + .flag = &mac_vnode_check_rename_from_fp_flag }, }; static void Modified: head/sys/security/mac/mac_framework.h ============================================================================== --- head/sys/security/mac/mac_framework.h Wed Jul 29 17:04:33 2020 (r363667) +++ head/sys/security/mac/mac_framework.h Wed Jul 29 17:05:31 2020 (r363668) @@ -482,6 +482,10 @@ mac_vnode_check_poll(struct ucred *active_cred, struct #endif int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp); int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp); +#define mac_vnode_check_rename_from_enabled() __predict_false(mac_vnode_check_rename_from_fp_flag) +#ifdef MAC +extern bool mac_vnode_check_rename_from_fp_flag; +#endif int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
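Review bot: in mac_framework.h the mac_vnode_check_rename_from_enabled() macro is defined outside the #ifdef MAC guard while mac_vnode_check_rename_from_fp_flag, which it expands to, is declared only inside it, so any caller that uses the macro without its own #ifdef MAC fails to compile in a kernel built without MAC. Either move the #define inside the guard, or add an #else branch with `#define mac_vnode_check_rename_from_enabled() (false)` so callers such as kern_renameat() can use it unconditionally. The #define line also runs well past the 80-column limit of style(9); breaking it after the macro name with a backslash continuation would fix that.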